Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use the system trust store for HTTPS requests #1512

Merged
merged 1 commit into from
Feb 16, 2024
Merged

Use the system trust store for HTTPS requests #1512

merged 1 commit into from
Feb 16, 2024

Conversation

zanieb
Copy link
Member

@zanieb zanieb commented Feb 16, 2024

Closes #1474

Using the rustls-tls-native-roots feature

rustls-tls: Enables TLS functionality provided by rustls. Equivalent to rustls-tls-webpki-roots.

rustls-tls-webpki-roots: Enables TLS functionality provided by rustls, while using root certificates from the webpki-roots crate.

rustls-tls-native-roots: Enables TLS functionality provided by rustls, while using root certificates from the rustls-native-certs crate.

Additional context:

Prior discussion at #609

@zanieb zanieb added enhancement New feature or improvement to existing functionality registry Related to package indexes and registries labels Feb 16, 2024
@zanieb zanieb marked this pull request as ready for review February 16, 2024 16:52
@zanieb
Copy link
Member Author

zanieb commented Feb 16, 2024

The major downsides are:

  • The OS update system may, in fact, be quite poor at keeping the root certificates up-to-date if it is disabled or out-of-support.
  • The quality of the ca-certificates package on debian-based Linux distributions is poor. At the time of writing, this ships many certificates not included in the Mozilla set, either because they failed an audit and were withdrawn or were removed for mississuance.

Copy link
Member

@BurntSushi BurntSushi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems okay to me. In particular, it seems like this is the recommended approach from rustls.

@BurntSushi BurntSushi merged commit 9737b93 into main Feb 16, 2024
7 checks passed
@BurntSushi BurntSushi deleted the zb/certs branch February 16, 2024 19:07
@notatallshaw
Copy link
Collaborator

FYI, Pip is moving to this model via truststore: https://pip.pypa.io/en/stable/topics/https-certificates/

My experience is it is massively helpful in large organization environments.

charliermarsh pushed a commit that referenced this pull request Feb 23, 2024
I'm confused that we have this separate specification of `reqwests`? I'm
not sure this has any effect, but it seems like it should be done for
correctness.

Follows #1512
@carlosjourdan
Copy link

carlosjourdan commented Feb 27, 2024

Corporate network with ssl inspection firewall, custom ca on every site. Root certificate is trusted by windows, and environment variables REQUESTS_CA_BUNDLE and SSL_CERT_FILE are setup. Python requests work fine. Pip install as well. uv fails with error below.

error: error sending request for url (https://pypi.org/simple/zeep/): error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: invalid peer certificate: UnknownIssuer

@zanieb
Copy link
Member Author

zanieb commented Feb 27, 2024

Hi @carlosjourdan would you mind opening a new issue?

@carlosjourdan
Copy link

Just did

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or improvement to existing functionality registry Related to package indexes and registries
Projects
None yet
Development

Successfully merging this pull request may close these issues.

How to run uv behind a corporate proxy?
4 participants